Secure login protocol

Field of the invention

The invention relates to authentication of a user before a server.

Background of the invention

The Internet comprises a vast number of online services which client users can log in to. The individual client user's access to an online service is most often dependent on a login, which traditionally consists of a 'username' and a 'password'. Username and password are to be seen as two keys, which when used in joint 'opens' an online service to the client user, if the server system behind the online system 'finds' the client user's username and password on the list of clients who have a right to access the online service.

If a server system depends on two criteria for login like 'username' and 'password' alone, it will grant access to a client user who is submitting a valid 'username' and 'password' to the server system. This means that if the client user loses his username and password to a given online service, a finder of the username and password will be able to access that online service.

Most often client users lose their username and password to illegal programs that are, without the client user's acceptance, stored at the user's computer and from there logs the user's keystrokes when he is in the process of logging onto a specific online service. The collected keystrokes are then sent by the illegal program via the Internet to unauthorized individuals who may then gain access to the online service.

Summary of the invention

The present invention facilitates secure authentication of a user on a server computer. This is useful for instance as part of a homebanking login procedure.

A first aspect of the invention is a method for providing a secret at a client computer for use in an authentication process. The method comprises:

• the client computer receiving from a server computer, information representing o a first set of data elements, and o a second set of data elements, and o a data association between the first set and the second set, through which data association a data element from the first set is uniquely associated with a data element in the second set;

• providing a first subset comprising a selection of data elements from the first set of data elements; • the client computer providing a second subset of data elements, the second subset comprising those data elements in the second set of data elements that are associated with the data elements in the first subset via said data association;

• providing the secret by evaluating an encryption algorithm that depends on an element from the second subset and a predefined encryption data element.

The first set of data elements could be a set of pictures or a set of audio files or other information. The second set of data elements could for instance be a set of integer numbers. In this scenario, the data association could be a numeration of the images. The server computer provides the data association. The information, comprising the first set (images, for instance) and the second set (integers, for instance) and the data association (the mapping between the images and the numbers), is sent to the client computer. Advantageously, the server computer forms the data association randomly. The secret will be used as a passkey for logging onto the server computer. Other second sets of data elements could consist of hexadecimal numbers (consisting of combinations of letters A-F and integers 0-9), or could consist of another group of characters from the ASCII character in general. They can all be converted to bit strings and therefore be used in an encryption algorithm.

The number of elements in the first data set might be 100, and it will be clear from an example provided below that the first subset advantageously is a proper subset (of the first set of data elements), meaning that there are elements in the first set that are not comprised in the first subset. (By virtue of the data

association being a one-to-one association, the second subset will be a proper subset of the second set of data elements.)

The said information is typically transmitted over the internet and/or other network. In a homebanking scenario, the network typically comprises the Internet.

The encryption algorithm can be selected among many different encryption methods, as will be exemplified below. In the case where images are numerated, the selection will result in a second subset comprising numerals determined via the data association based on the first subset. These can be combined in any way, such as by concatenation, by adding them together, by forming their product etc, by bit operations directly on bit representations of the second subset of elements, etc. In the end, the result can be represented, one way or another, by a bit string, as can the encryption data element (which might for instance be numerals, ASCII characters, etc.), and thus can be handled arithmetically. The encryption can for instance consist of multiplying the encryption data element by the combined group of numbers, or adding the two, as discussed above in relation to the combining of elements from the second subset. The possibilities are many. The process is often referred to as one-time-padding, and the result is that the combination of e.g. the numerals (the elements from the second subset) becomes encrypted (are hidden from plain view). The secret - the result of the encryption - can be obtained only when the encryption data element and the combination of the group of numbers are known. The encryption (the algorithm) needs not be reversible. Advantageously, it is not, so that neither the second subset nor the encryption data element can be obtained.

To facilitate the method, at least a part of the first set of data elements and/or a part of the second set of data elements and/or a part of the data association are presented via a first user interface. Providing the entire data sets and data association is the most straightforward alternative. A user interface in this context might for instance be a display (by way, for instance, of an internet browser on a computer screen) or a loudspeaker. Thereby, the data sets and the data association can be made available to a user. The user may then provide the selection by simply viewing the data association or by clicking one or more of the images, such as in a browser where each image has been made clickable or

otherwise selectable (radio button, checkmarks, touchable etc.) to obtain the second subset. The selecting could also be performed for instance via a voice interface (voice recognition) through microphone means.

Key logging is a wide-spread problem today. In order to avoid logging of the encryption data element, it is advantageous to provide the second subset manually to an evaluation unit which has access to the predefined encryption data element and which performs said evaluating and provides the resulting secret. Alternatively, the encryption data element can be provided to the evaluation unit manually by the user along with the second subset or a part thereof. Such an evaluation unit could advantageously be a calculator-type device, such as a simple calculator or a computing unit specifically designed for the purpose. A mobile phone with implementing appropriately designed software is another example of a unit which could be used for the purpose of evaluating and providing the secret. When the second subset has been entered into the encryption unit, the encryption unit provides the secret in response. The encryption unit might be in operable data connection with the client computer whereby the secret can be transmitted electronically to the client computer, or it could be separated from the client computer and operate independently. By separating the evaluation unit and the client computer, a key logging problem at the client computer is avoided. In this case, a user interface may allow a user to obtain the determined secret, for instance visually or audibly, from the evaluation unit.

A second aspect of the invention provides an authentication method. A user of a client computer wishes to log onto a server computer. The method comprises:

• the server computer receiving an authentication request from a client computer;

• the server computer forming an information representing a first set of data elements and a second set of data elements and a data association between the first set and the second set, through which data association a data element from the first set is uniquely associated with a data element from the second set;

• the server computer providing said information to the client computer;

• the server receiving a first secret in response to providing said information to the client computer;

• the server providing a second secret by evaluating an encryption algorithm that depends on a predefined subset of data elements from the second set and a predefined encryption data element;

• the server comparing the first secret and the second secret and providing a positive authentication indication if the first secret and the second secret are identical.

The client computer provides a secret (first secret) as described previously. This first secret is based on a selection on the client computer among the data elements in the first set of data elements. A first secret is advantageously determined no matter what the selection is. The server computer comprises a predefined subset of data elements, which is a "password" in itself belonging to a user. The first secret (the secret received from the client computer) will be identical to the second secret that the server itself has calculated based on the predefined subset of data elements only when the subset selected at the client computer is identical to the predefined subset. In a banking scenario, a user of the client computer provides some sort of identity, such as a username or an account number. At the server, this identity is tied to a specific predefined subset. In this way, each user can have his favourite selection of data elements from the first set. This will be exemplified later on.

To enhance security, the server may replace the data association with another data association if the first secret and the second secret are not identical. This is advantageous because the combination of the elements in the second subset becomes different even though the same elements from the first set are selected at the client computer. This is greatly increases security because it greatly reduces or eliminates the value of systematic guesswork.

Access may be further limited by ensuring that a positive authentication indication is provided by the server only if an active IP number of the client computer matches an IP number provided at the server computer. Such a property is well known from some existing authentication systems.

In a third aspect, the invention provides computer hardware adapted to facilitate a method falling under one of the methods described above in relation to the first and second aspects of the invention. Such computer hardware may be entirely

dedicated, such as a programmed ASIC. Alternatively, the hardware may comprise a personal computer loaded with software suitably programmed to make the personal computer operative to facilitate the said methods.

A fourth aspect provides a computer program product comprising software that, when executed on suitable computer hardware, enables the computer hardware to facilitate a method according to one of the methods according to the first and second aspects. The software may for instance be recorded on a DVD, a CD, a hard drive, a flash memory or other storage media comprising the product.

Brief description of the drawings

Fig. 1 illustrates the exchange of data between a client and a server during an authentication process in accordance with the present invention.

Fig. 2 illustrates to data sets used in a secret provision method in accordance with the present invention.

Fig. 3 illustrates a data association between the two data sets. The data association is created by the server.

Fig. 4 illustrates a system in which an authentication process is in progress.

Fig. 5 is a flow chart that illustrates the process from initiation of an authentication process to the authentication decision.

Description of selected embodiments

In the following, the invention will be described by way of examples. The invention will be described using examples wherein the first data set is a set of images and the second set of data elements consists of integers. The data association is a numbering of the images in the first data set with the integers from the second data set. Fig. 2 illustrates the first data set 210 consisting of three images 211 (the Eiffel tower), 212 (a car), 213 (a clock). Fig. 2 also illustrates the second data set 220 consisting of the integer "1" (221), the integer "2" (222) and the integer "3" (223). In a real-life scenario, the number of images is "high", such as 10 or 50 or 100.

Fig. 1 illustrates a client-server system comprising a client computer 110 and a server computer 120. In the present scenario, a user wishes to log in on the server. The two computers are connected with a network connection 102 over a data network. The data network may for instance comprise a connection over internet, a wireless connection and so on. In the present example, the client and server communicate using the HTTP protocol.

To initiate an authentication process to authorize a user of client computer 110 to use information on server computer 120, the client 110 sends a request "REQ" to the server 120, as illustrated on Fig. 1. The request comprises identification information, such as a user ID and/or a password, or other identification. The request causes the server to provide the first data set S ₁ (images) and the second data set S ₂ (integers) and a data association S ₁ ^S ₂ relating the images to the integers. The data association ("DA") is randomly produced by the server. The user together with the client computer create a secret ("sec"), which is sent to the server. To decide whether to authorize the user, the server compares the received secret to a secret that it itself has created based on the identification information from REQ and the data association, DA. If the two secrets agree, the user is authorized to access information on the server.

Fig. 3 illustrates a data association 310 between the first and second data sets from Fig. 2. After having received the request from the client, the server provides the data association, consisting of associations 301, 302 and 303. Association 301 associates the tower 211 with the integer "2", association 302 associates the car with the integer "3", and the association 303 associates the clock with the integer

The data sets 210 and 220 and the data association 310 are transmitted to the client. In order to allow the user to proceed with the authentication attempt, the transmitted data is displayed at a display connected to the client computer. Fig. 4 illustrates the client computer 110 connected to a display 401 and a keyboard 402.

During the authentication process, the display shows the association, for instance as illustrated on the display 401 in Fig. 4, where the integers are shown in increasing order and the associated images are shown above them on display 401

connected to the client computer 110. The presentation type and shape can be selected as desired, as long as the data association is discernible. The numbers could also be left out and appear once a selection of images has been made by the user.

The actual authentication is based on two mechanisms. The first is that the user defines the final "passkey" by memorizing a sequence of pictures. In this example, we will assume that a passkey consists of two pictures, in a certain order. The user may for instance have chosen a passkey consisting of "car" and "tower", in that order. This might have significance to the user (or not). The user might think of "taking the car to the Eiffel tower", which might be his favourite pastime. The user then identifies the associated numbers, which are "3" and "2", in that order. These numbers, including their order, will be referred to as "resulting associated numbers", or RANs.

To obtain the key, the user obtains a secret by having a predefined algorithm be performed based on the identified numbers. Alternatively, as discussed above, the images might be clickable and once the user has clicked "car" and "tower", the "3" and "2" are displayed with an indication of their correct order.

As a second mechanism, the user also has a pin number (PN) which is used in the providing of the secret. The pin number is known to both the user and the server.

An example of an algorithm for obtaining the secret consists of concatenating the numbers and adding the pin number to the result. As an example, it will be assumed now that the user's pin number is "51". The concatenated numbers related to "car" and "tower" is "32", and adding the pin number gives the result "83", which is the secret in the case of the data association shown in Fig. 3 and 4. The pin number acts as a pad to hide/encrypt the concatenated numbers.

The user then enters the secret on the keyboard 402, and the secret is submitted to the server. The server performs the exact same calculation. Via the identification information (such as the aforementioned user ID or account number), the server knows who the user is and thus knows which pin number to use in its calculation of the secret. It knows the "passkey" already ("car" and "tower", in that order), and calculates the result "83" using the data association that it itself has provided. The server then compares the secret (result) to the one

provided by the user. In this example, the two are identical, and the user is authorized. In case the user had picked "tower" and then "car", the concatenated result is "23" and the resulting secret is "74", which is not identical to the result "83" calculated by the server. The server would deny access. As another example, selection of "car" and "clock", in that order, would yield a result of "82", which is also incorrect. Access would consequently be denied.

The example above of an algorithm is a simple one. To increase security, the algorithm can for instance be modified. Calculating

PN ³ + PN ²

where the exponents are the RANs resulting from the selection of "car" and

"tower" as discussed above and shown in Fig. 3 and 4. The selection of algorithm helps to hide the pin number and the RANs. These aspects are well known in the field of encryption, where the pin number is often referred to as a "one-time-pad". In the example above, the algorithm evaluates to 135252.

4-digits pin numbers are commonly used and will increase security. Longer pin numbers increase security further. With a pin number of 5153, as an example, the formula above evaluates to 136856269986. To obtain a "short" secret, the result above may be shortened for instance by keeping only the first 6 digits of the result, such as the initial six digits. The algorithm would therefore further include the step of selecting the first 6 digits. The resulting client secret would be 136856, which the user would then provide to the client computer, which in turn would transmit this secret to the server. The server would perform the exact same calculation and perform the comparison as usual. In case of coincidence between the client secret and the server secret, the user would be authorized.

A purpose of the invention is to make it difficult for key loggers to obtain the pin number. Providing the secret by having the client computer perform the calculation based on a pin number entered via a keyboard would defeat the purpose. Instead, a separate encryption computer ("evaluation unit") is used. Such a unit 430 is illustrated in Fig. 4. It may for instance take the shape of a conventional calculator, though specialized "on the inside". It is aware of the algorithm used to provide secrets. To obtain a secret, the user enters the RANs

into the unit, as illustrated by the dashed line 431 in Fig. 4. The unit then provides the secret, for instance via a display. The pin number can be entered by the user at the same time, or it can be stored in the unit more permanently. The former solution is clearly more desirable from a security point of view. Once the unit has provided the secret, the secret is entered into the client computer, either via a manual entering by the user, as illustrated by line 432, or automatically to the client as illustrated by line 433, for instance via a L)SB connection or wireless connection, both of which circumvent the need for entering the pin number via the keyboard which is potentially subject to key logging.

Ideally, the algorithm is complicated and an electronic evaluation unit is therefore indispensable.

The example above illustrates how two images are selected out of three available images (the two images form a proper subset of the set consisting of the three images). If there were 100 images to choose from, it would still be advantageous to use just a "small" number of images - simply because it is more difficult to remember a higher number of images.

Some authentication processes rely in part on user-dependent authorization files stored on the client computer. Such files are needed when attempting to access the desired server. The use of such files is well known. Such files can also be used with the present invention. By making the authorization file available to the evaluation unit, the information in the file can be used in the algorithm to provide increased security by introducing more entropy into the secret.

An example of an entire authentication process is illustrated in Fig. 5. First, the client makes a request 501 to the server after a user's initiation of the authentication process. The server provides the data sets and a data association, the server having created the latter in step 503. They are received at the client computer in step 503 and displayed appropriately as discussed previously. The user now takes the steps required to obtain the client secret, which includes selecting images and calculating the client secret, in step 505. The client secret is entered into the client computer and transmitted 507 to the server. The server also calculates 509 a secret, the server secret, and compares the client secret and the server secret in step 511. If they are identical, the user is authorized

(authenticated) to access the server, in step 515. Otherwise, the user is rejected and may get another chance to provide the correct client secret. To ensure that no information is reused, for instance in an attempt to guess the "passkey" (the "passkey" images and their correct sequence, if applicable), the server computer provides a new data association, in step 503, at each login attempt. This ensures that systematic guessing is hardly available to an intruder.

The person skilled in the art will recognize that the described features can be combined, where feasible, in a number of ways as design options.